inWebo

San Francisco, CA – December 3, 2018 – ForgeRock, the leading platform provider of digital identity management solutions, today announced a major milestone in advancing its technology partner ecosystem, in welcoming 54 partners to its ForgeRock Trust Network. Program Unites Leaders in Strong Authentication, Risk and Fraud and Related Fields to Extend Value in ForgeRock Identity Platform. The Trust Network was created to unify ForgeRock’s extensive community of technology partners for customers to seamlessly integrate complementary technologies and realize the highest value from their ForgeRock Identity investments.

inWebo was one of the early partners to join Forgerock Trust Network in 2017 and is pleased to announce the release of a certified extension module for ForgerockAM. That module enables Forgerock customers to benefit from inWebo multi-factor authentication, thus enhancing the security of their applications, meeting compliance requirements, and making it easier for their internal and external users to access trusted applications.

Ben Goodman, Vice President, Global Strategy & Innovation, said, “The ForgeRock Trust Network for Technology Partners was built to deliver capabilities beyond our own identity platform, and the reception from our partner community and customers has been overwhelming. The Trust Network is unlike the typical ‘partnership by press release’ program seen in our industry, as our partner directory is loaded with integrated solutions that have been certified, to give customers technical confidence and cost predictability. As the identity ecosystem continues to expand, the ForgeRock Trust Network of partners will continue to deliver unmatched innovation to those who use our platform.”

Jeff Sherwood, Director of Business Development for inWebo North America, said, “Strong Authentication (MFA) has become a critical part of modern Identity & Access Management projects. We are very excited to partner with Forgerock, a global leader in IAM & CIAM, and thus to deliver a certified interoperability between ForgerockAM and inWebo MFA platform. It will greatly help Forgerock customers meet their compliance requirements while reducing the time and costs needed to protect their applications, as well as the pain for internal and external users.”

About inWebo
inWebo is a leading vendor of B2B solutions for multi-factor authentication (MFA) and local access (IWLA). inWebo makes customers, members, and employees access to VPN, IAM, web, Cloud, and IoT applications & devices more secure, but also easier. Our technology seamlessly adds a layer of security during authorization by turning user devices including laptops, cell and smartphones, or tablets into trusted authentication methods. It uniquely combines certified hardware-grade security with extreme ease of use. inWebo protects millions of identities for global organizations. Visit us at inwebo.com.

About ForgeRock
ForgeRock® is the Digital Identity Management company transforming the way organizations build trust and interact securely with customers, employees, devices, and things. Organizations adopt the ForgeRock Identity Platform™ as their digital identity system of record to monetize customer relationships, address stringent regulations for privacy and consent (GDPR, HIPAA, FCC privacy, etc.), and leverage the internet of things. ForgeRock serves hundreds of brands, including Morningstar, Vodafone, GEICO, TomTom, and Pearson, as well as governments such as Norway, New Zealand, and Belgium, among many others. Headquartered in San Francisco, California, ForgeRock has offices in Austin, London, Bristol, Grenoble, Munich, Paris, Oslo, Singapore, Sydney and Vancouver, Washington. ForgeRock is privately held, backed by leading global venture capital firms Accel Partners, Foundation Capital, Meritech Capital and KKR. For more information and free downloads, visit www.forgerock.com

From Security-by-Design to Privacy-by-Design

In the weeks and days before (and after) May 25th 2018, everyone’s mailbox has been filled with emails such as “GDPR update” or “Update of our Privacy Policy”. You might wonder why you have not seen any of these from inWebo, what we have done about the matter, and how ready we are.

inWebo’s business is identity protection. We design and implement cyber-security techniques to protect our customers’ user identities. PIIs (Personally Identifiable Information) are highly protected in our systems, using strong encryption, crypto-servers, firewalls, etc. GDPR requirements in terms of security are met and exceeded. However, GDPR is much more than that, therefore we had to figure out the journey from our “security-by-design” starting point to a “privacy-by-design” destination.

Here are the various topics we addressed and what our approach is:

User consent to data processing purposes: as a B2B provider of authentication solutions, we do not collect data from the end-users of the solution, our customers do. We collect data from administrators when they create their organization account, for the sole purpose of creating that account and giving access to it.

Minimal set of data: we only store in our systems the user data that is necessary for our customers to operate and monitor the authentication solutions we provide them, such as a username, an email address, and authentication usage data (time and date, IP address, authentication status). It is our customers’ responsibility to use anonymous aliases instead of usernames and to not store email addresses if they do not use features such as “Reset PIN with email” that need it.

Data governance: that was a benefit of GDPR to have us design a data governance and a data retention policy. We have now standardized our data retention durations: by default, authentication and other usage data is kept one year. Also, all organization account data are deleted maximum 6 months after an organization account expiration. Customers who need a longer retention duration e.g. for long-term security analysis can subscribe to an archiving option.

Access to data and traceability: since we operate the authentication platform and since we rely on service providers for some aspects of the solution (email service provider and hosting service provider among others), we needed to design and enforce policies for access to data, both for ourselves and for our service providers. Service providers have issued their own GDPR compliance statements and we have analyzed that they are compatible with our goals and practices. For ourselves, by default we never access user data unless a customer requires us to do so, for instance in order to troubleshoot an issue. We have formalized how our operational teams authorize and log such requests.

Data protection: critical data such as authentication factors are encrypted with crypto-servers (HSMs) in our platform. Usernames are usually not critical information (if it is, it is our customers’ responsibility to use aliases instead) and they are needed in plain text e.g. to run search queries. Other identifiers such as email addresses or “trusted devices” names are usually not critical information but we have nevertheless decided to encrypt it at rest.

Rights (to access, to modify, to be forgotten): we do not know the end-users of our customers and have no way to match a request that we would receive with an actual end-user in our platform, or to verify that such a request is legitimate. Besides, if one of our customers has created an authentication profile for a user in our platform, our responsibility is to not access it, not modify it, and not delete it. Therefore our role is to provide our customers with the tools and processes they need to answer their users’ requests, e.g. an API function to delete user data in the authentication logs in our platform. Nevertheless, we have created an email address for privacy and PII-related requests from end-users. We will limit our role to reply to emails advising the user to send his/her request to his/her organization or service provider.

Update of our privacy policy and of our general terms: we have updated our privacy policy and our general terms in January 2018 in order to include the changes resulting from our GDPR compliance.

San Francisco, April 2nd, 2018 – For those of you who will travel to RSA in 10 days from now, time will be the most scarce resource. Recognizing that, we propose you a “speed-dating” format with inWebo: let’s connect or catch up during 20 or 40 minutes in the exhibition halls (no wasting of your time by having to leave the conference venue). We’ll propose a longer follow-up call or demo in the following weeks if you’re interested, but at least we’ll have met in person – a must in the security and trust industry, don’t you think?

This year we have a lot of exciting updates. Let me name a few: Authenticator 6 for both smartphones & desktops, support of SCIM and OpenID Connect, AI-based behavioral / adaptive auth, 2FA for Windows Logon, a brand new & exclusive security framework for local sign-in for IoT applications… One more exciting update: I’ll be with Jeff Sherwood who joined inWebo last year as the Director of Business Development for North America.

We’d like to use a little bit of your time to connect or catch up and discuss how we partner with organizations like yours to deliver the best of identity security.

San Francisco and Paris, December 18th, 2017 – inWebo Technologies expands its security portfolio for IoT security by launching a new offering called inWebo Local Authorization.

Service providers in verticals such as Connected Cars, mobility services, Smart Cities, Connected Home, Connected Health, etc., can now benefit from inWebo exhaustive framework for secure access control, both to cloud-based IoT services and to local IoT resources.

« In a first wave of IoT services, service providers have requested access control solutions to protect their cloud-based services. inWebo has met these requests by successfully adapting and implementing its multi-factor authentication solution in connected-car services for instance », said Didier Perrot, CEO at inWebo Technologies. « In a second wave, service providers need new solutions for secure access control to local resources such as vehicles, locks, meters, ticketing systems etc., that are not constantly connected to a central authorization platform via the Internet. These ‘offline’ use cases are becoming mainstream in the IoT and demand a new security approach to protect the IoT resources and businesses, while being extremely easy and intuitive to use. This is what inWebo Local Authorization now enables. We’re now willing to partner with more service providers to make the IoT a secure place. ».

Developing a framework for secure local access control has required a significant R&D effort and has led to a patent application. inWebo Local Authorization (IWLA) is an alternative or a complement to connectivity solutions, such as 3G or low-bandwidth mobile connectivity.

IWLA allows a resource such as a lock or a driverless vehicle to take a local authorization decision to give access to a user based on the verification of a virtual key that includes non-spoofable claims and rights about the resource. A virtual key is carried in a smartphone App for instance. The verification happens instantly without the need for the resource or the smartphone to connect to a central server. The verification doesn’t expose the key itself, thus preventing a wide range of attacks.

inWebo provides an API to issue and manage smart locks and virtual keys, based on an infrastructure that makes extensive use of FIPS-certified hardware security equipment. IWLA is therefore both extremely secure and extremely easy to implement by service providers.

The selection of the “right” MFA solution can be tricky. First, because there’s a constant flow of innovation in the authentication industry, resulting in numerous and diverse technologies even for solutions supposedly following a standard. Second, because the applications and environments needing MFA are also very different (cloud vs. onprem, legacy vs. web, ldap vs. radius, SAML, or OIDC, etc.). Lastly because not all solutions have the same objectives or protect against the same risks. Read More

Forgerock announced today the extension of its technology partnership program, of which inWebo is now a member. See the full press release and partner directory featuring inWebo.

“For years, Forgerock and inWebo have been sharing a common vision of Identity and Access Management for Web applications, IT applications, and now IoT”, said Didier Perrot, CEO at inWebo. “This renewed partnership and the investment we make in integrating inWebo MFA solution with Forgerock products will allow any organization to take a best-of-breed and future-proofed approach to IAM and security, combining Forgerock’s leading identity platform and inWebo’s innovative MFA and local authorization framework.”.

it-sa 2017

inWebo will be at it-sa 2017 (InfoSec Germany) in Nuremberg, October 10-12, 2017. Read the program here

If you would like to take this opportunity to schedule a discussion with us and go through your authentication and access security challenges, please fill out the form below. We’ll make our best to accommodate your preferences.

Data Connectors Security Conference in Austin

inWebo is a proud sponsor of the 2017 edition of the Data Connectors conference in Austin, on October 5, 2017. Representatives of inWebo and of our partner The SCE Group will be on our booth.

If you would like to take this opportunity to schedule a discussion with us and go through your authentication and access security challenges, please fill out this form. We’ll make our best to accommodate your preferences. You may also visit our booth without a scheduled appointment and talk to the next available representative.

Les Assises in Monaco

inWebo will be at Les Assises de la Sécurité 2017 (InfoSec France) in Monaco, October 11-14, 2017. Representatives of inWebo and of our Hexatrust partners will be on our booth. We will also participate to a panel on blockchain security. Read the program here

Data Connectors Security Conference in New York City

inWebo is a proud sponsor of the 2017 edition of the Data Connectors conference in New York City, on November 9, 2017. Representatives of inWebo and of our partner The SCE Group will be on our booth.

If you would like to take this opportunity to schedule a discussion with us and go through your authentication and access security challenges, please fill out this form. We’ll make our best to accommodate your preferences. You may also visit our booth without a scheduled appointment and talk to the next available representative.